Sections

A favourite among privacy advocates, Tor network may have been compromised

American cyber security activist Jacob Appelbaum, wearing a shirt with the Tor onion logo, and activist Jillian York speak at the 2014 re:publica conferences on digital society on May 6, 2014 in Berlin, Germany.Photo: Photo by Sean Gallup/Getty Images

One of the most important online privacy tools came under attack this year, although the full scale of the problem is still unknown.

Tor, free software that allows for anonymous browsing, is used by activists, journalists and many others who have reason not to leave digital fingerprints behind. Unlike a regular browser, which connects directly to websites, Tor works by bouncing encrypted internet traffic through a network of relays that make it hard for third parties to track exactly where someone is going and what they are looking at.

For more than five months, however, more than a hundred relays were added to the Tor network that tried to spy on users.

“On July 4 2014 we found a group of relays that we assume were trying to deanonymize users,” the non-profit Tor Project wrote in a blog post Wednesday.

The attack appears to have targeted people involved with Tor hidden services, part of the so-called Deep Web that is only accessible to people using Tor and which doesn’t show up in Google searches. Tor hidden services include things like messaging and email applications, news and whistleblowing sites, as well as more controversial services devoted to pornography and illicit activities.

“We know the attack looked for users who fetched hidden service descriptors, but the attackers likely were not able to see any application-level traffic (e.g. what pages were loaded or even whether users visited the hidden service they looked up),” read the Tor blog post. “The attack probably also tried to learn who published hidden service descriptors, which would allow the attackers to learn the location of that hidden service.”

It’s not clear who was trying to spy on the Tor network and how much data they siphoned off, but researchers from Carnegie Mellon’s Computer Emergency Response Team are the most likely suspects. The team was set to give a public presentation earlier this year on how to deanonymize Tor but cancelled after backlash from privacy advocates.

Tor Project spokesperson Runa Sandvik told the technology site Gizmodo that based on the abstract the researchers wrote for their aborted presentation, “the attack did successfully deanonymize users and hidden services.”

While a group of researchers may not sound particularly threatening, a vulnerability like this could also have been used by more nefarious actors.

Tor and similar privacy tools have become a topic of some urgency since details of widespread government spying came to light as a result of Edward Snowden’s intelligence leaks. Documents suggest spy agencies including the U.S. National Security Agency have set their sights on finding a way to crack Tor’s security, and Russian President Vladimir Putin recently announced a $110,000 bounty for anyone able to penetrate the anonymous network increasingly used by Russian dissidents.

The Tor Project has released an update to its software that should close the particular hole the attackers used.